INTERNET PAYMENT SYSTEMS

Introduction
To make the e-commerce system functional, we also need to incorporate payment functions into the system
In the physical world, there are 4 types of payment methods
Credit/debit (Fund Transfer)

Major Internet Payment Methods
Secure Electronic Transaction (SET) Protocol for implementing credit card payment
An Electronic Check system for supporting check payment
An Electronic funds transfer and Electronic Cash system for emulating physical cash payment
Micropayment methods and Smart card methods

Features of Payment Methods
Anonymity : whether the payment method is anonymous
Security : whether the payment method is secure
Overhead cost : the overhead cost of processing a payment
Transferability : whether a payment can be carried out without the involvement of a third party
Divisibility : whether a payment can be divided into arbitrary small payments whose sum is equal to the original payment
Acceptability : whether the payment method is supported globally

4C Payment Methods
Payment method should be
Having Low overhead cost
Anonymous

Comparison of the 4C payment methods

SET Protocol for Credit Card Payment
The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce
Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection

Advantage of SSL :
It ensures the secure transmission of credit card information over the internet
Disadvantage of SSL :
It is not a complete credit card payment method
For example, it cannot support on-line credit
SET is specially developed to provide secure credit card payment over the internet
It is now widely supported by major credit card companies including Visa and MasterCard

SET aims at satisfying the following security requirements in the context of credit card payment :
Confidentiality - Sensitive messages are encrypted so that they are kept confidential
Integrity - Nearly all messages are digitally signed to ensure content integrity
Authentication - Authentication is performed through a public key infrastructure

SET network architecture
Merchant : a seller, which is connected to an acquirer
Cardholder : a registered holder of the credit card who is a buyer
Issuer : the bank that issues the credit card to a cardholder
Acquirer : the bank that serves as an “agent” to link a merchant to multiple issuers
A merchant can process various credit cards through a single acquirer
Payment Gateway : This is typically connected to the acquirer
The payment gateway is situated between the SET system and the financial network of the current credit card system for processing the credit card payment

SET Digital Certificate System

Dual signature generation and verification
In the physical credit card system
the Payment Instructions (PI) including the cardholder’s credit card number and signature are not kept confidential
data integrity can basically be ensured by using printed receipts
cardholder’s authentication relies on simple signature checking only

In an electronic credit card system
the Order Information (OI) and PI can be digitally signed to ensure data integrity
the sensitive credit card information may still be disclosed to other people
SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information :

How the merchant and the payment gateway can verify the DS ?
The merchant is provided with OI, H[PI], and DS
The dual signature can be verified as follows :
Step 1 : The merchant first finds
H[ H[PI] || H[OI] ]
Step 2 : He then decrypts the digital signature with the cardholder’s public signature key as follows :
D_RSA[ DS | key_public_sign,cardholder ]
where key_public_sign,cardholder denotes the public signature key of the cardholder
Step 3 : Finally, he compares the two terms H[ H[PI] || H[OI] ] and D_RSA[ DS | key_public_sign,cardholder ]
They should be the same if the transmitted DS has not been changed; otherwise the order is not valid

The payment gateway is provided with PI, H[OI], and DS
By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party
If either the OI or PI is changed, the dual signature will no longer be valid

DIGITAL ENVELOPE
A random DES key (key_random) is first generated to encrypt the message, i.e. E_DES[M | key_random]
key_random is then encrypted by the VBS's public key-exchange key, say key_public_exchange,VBS, i.e. E_RSA[key_random | key_public_exchange,VBS]
E_DES[M | key_random] and E_RSA[key_random | key_public_exchange,VBS] are sent to the VBS

To obtain the message M, VBS first obtains key_random by decrypting E_RSA[key_random | key_public_exchange,VBS], i.e.
D_RSA[ E_RSA[key_random | key_public_exchange,VBS] | key_private_exchange,VBS ] = key_random,
where key_private_exchange,VBS denotes the private key-exchange key of the VBS
After obtaining key_random, the VBS can obtain M by decrypting E_DES[M | key_random], i.e. to find
D_DES[ E_DES[M | key_random] | key_random ] = M

SET PROTOCOL
SET protocol has four phases: initiation, purchase, authorization, and capture
First the cardholder sends a purchase initiation request to the merchant for initializing the
Then the merchant returns a response message to the cardholder
In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant
In the third phase, the merchant obtains the authorization from the issuer via the payment
Finally, the merchant requests a money transfer to its account

PAYMENT AUTHORIZATION
The merchant needs to obtain payment authorization from the acquirer
The authorization request consists of :
Message digest of order description
Other transaction information
The authorization request is encrypted by using key B.
Key B is then encrypted by using the public key-exchange key of the payment gateway to form the digital envelope

The merchant sends the following to the payment gateway :
The encrypted authorization request and the encrypted key B
Cardholder’s and merchant’s certificates
The following information as received from the cardholder :
PI + DS + H[OI] (all encrypted using key A)
Key A + cardholder information (all encrypted using the payment gateway’s public key-exchange key)

After receiving the authorization request, the payment gateway processes it as follows
Obtains key B by means of decryption and uses it to decrypt the authorization request
Verifies the merchant’s certificates and the digital signature on the authorization request
Obtains key A and the cardholder information by means of decryption
Uses key A to obtain the PI, DS and H[OI]
Verifies the DS accordingly

The payment gateway also verifies that the received transaction ID is the same as the one in the PI
By checking the order description in the authorization request message, it can be verified that the order has been accepted by the cardholder and the merchant

Upon all successful verifications, the payment gateway forwards the authorization request to the issuer via the current payment system
After receiving the authorization from the issuer through the current system, the payment gateway sends an authorization response to the merchant

The payment gateway sends the following to the merchant :
Signed authorization response (encrypted by key C)
Key C (encrypted by the merchant’s public key-exchange key)
Signed capture token (encrypted by key D)
Key D + cardholder information (encrypted by the payment gateway’s public key-exchange key)

After receiving the authorization response from the payment gateway, the merchant obtains key C by decryption and uses it to decrypt the authorization response
The merchant verifies the payment gateway’s certificate and the digital signature on the authorization response
After obtaining the authorization, the merchant then completes the order accordingly

PAYMENT CAPTURE
To begin the payment capture process, the merchant generates a capture request that includes the transaction ID, capture amount and other information about the capture request
The capture request is first signed by using the private key of the merchant and then encrypted with a random symmetric key E
E is then encrypted by using the public key-exchange key of the payment gateway to form the digital envelope

The merchant sends the following to the payment gateway :
Signed capture request (encrypted by using key E)
Key E (encrypted by using payment gateway’s public key-exchange key)
Signed capture token (encrypted by using key D)
Key D + cardholder information (encrypted by using payment gateway’s public key-exchange key)
Merchant’s digital certificates

After receiving the capture request, the payment gateway obtains key E by decryption and uses it to decrypt the capture request
The payment gateway also verifies the digital signature of the capture request by using the merchant’s public key
The payment gateway obtains key D by decryption, uses the key to decrypt the capture token, and verifies the capture token
After successful verification, the payment gateway sends a payment transfer request to the issuer via the current system

The capture response created by the payment gateway is signed by using its private signature key and is encrypted by a random symmetric key F
F is encrypted by using the merchant’s public key-exchange key to form the digital envelope

The payment gateway forwards the following information to the merchant:
Signed capture response (encrypted by key F)
Key F (encrypted by public key-exchange key)
Payment gateway’s digital certificates
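
The capture response exchange above is the digital envelope from the earlier slides with a signature inside it; the following added example (not from the original slides) runs both sides of it. Assumptions: textbook RSA without padding over constructed demo keys, SHA-256 for the signed digest, and a SHAKE-256 XOR keystream standing in for DES; all function names are hypothetical.

```python
import hashlib
import secrets

E = 65537

def keypair(p: int, q: int):
    """Textbook RSA from two primes; returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed demo keys over Mersenne primes: insecure, no padding.
GW_N, GW_D = keypair(2**521 - 1, 2**607 - 1)    # gateway signature key
M_N, M_D = keypair(2**607 - 1, 2**1279 - 1)     # merchant key-exchange key
SIG_LEN = (GW_N.bit_length() + 7) // 8

def sym_crypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for E_DES / D_DES: XOR with a SHAKE-256 keystream (not DES).
    The same call encrypts and decrypts."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def gateway_send(response: bytes):
    """Sign the response, encrypt signature + response under a random key F,
    then wrap F with the merchant's public key-exchange key."""
    sig = pow(digest_int(response), GW_D, GW_N).to_bytes(SIG_LEN, "big")
    key_f = secrets.token_bytes(16)
    wrapped_f = pow(int.from_bytes(key_f, "big"), E, M_N)
    return sym_crypt(key_f, sig + response), wrapped_f

def merchant_receive(body: bytes, wrapped_f: int):
    """Unwrap F with the private key-exchange key, decrypt, verify signature.
    Returns the response, or None when the signature does not verify."""
    size = (M_N.bit_length() + 7) // 8
    key_f = pow(wrapped_f, M_D, M_N).to_bytes(size, "big")[-16:]
    signed = sym_crypt(key_f, body)
    sig, response = int.from_bytes(signed[:SIG_LEN], "big"), signed[SIG_LEN:]
    return response if pow(sig, E, GW_N) == digest_int(response) else None

if __name__ == "__main__":
    body, wrapped = gateway_send(b"txn=1001;capture=59.90;status=ok")  # constructed
    print(merchant_receive(body, wrapped))
    tampered = body[:-1] + bytes([body[-1] ^ 1])   # one bit flipped in transit
    print(merchant_receive(tampered, wrapped))
```

The flipped bit goes undetected by the symmetric layer alone; it is the signature carried inside the envelope that makes the merchant reject the message.
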
After receiving the capture response, the merchant decrypts it accordingly and verifies the digital signature.

SMART CARD
An Internet Payment Method.
First Generation Smart Cards - credit cards and bank cards.
Smart cards are “intelligent”, “interactive” and “interoperable”.

COMPONENTS OF A SMART CARD
Central Processing Unit:-
8 bit microprocessor that controls the operation of the smart card.
Used to store temporary data.
Used to store long term data like cryptographic keys.
ROM:-
Used to store permanent data such as the operating system.
It provides data input/output functions.

Steps to manufacture a smart card
Step 1: The chip is fabricated.
Step 2: A module is produced by using the fabricated chip from step 1.
Step 3: The plastic card is manufactured.
Step 4: The module from step 2 is added to the plastic card.
Step 5: Data and programs are loaded into the chip.
Step 6: Personalized data is loaded into the chip.

ISO 7816-4
It is a standard that defines the file system and communication protocol.
It specifies how a smart card can communicate with a smart card application like a smart card reader by means of Application Protocol Data Units (APDU).
Also specifies a file system for smart cards:-
Dedicated file

MONDEX
It is a smart card payment system.
Devices provided by Mondex include the following:-
Devices to transfer Mondex money over telephone networks and the internet.
Mondex card

Mondex Protocol
It uses public key cryptography
Basic operation starts with a “handshaking phase”

CONCLUSION
An effective, secure and reliable Internet payment system is needed
Depending on the payment amount, different levels of security are used

Thank you!